From 2d7b80bf5a7b67816dbf57af2b7ae33347b24d5f Mon Sep 17 00:00:00 2001
From: Mohamed ElKalioby
Date: Mon, 10 Oct 2022 17:35:26 +0300
Subject: [PATCH] Fixing CVE-2022-42731
---
 CHANGELOG.md | 8 ++++++++
 mfa/FIDO2.py | 2 +-
 setup.py | 2 +-
 3 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 163cea1..179ef56 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,4 +1,12 @@
 # Change Log
+## 2.6.1
+* Fix: CVE-2022-42731: related to the possibility of registration replay attack.
+ Thanks to 'SSE (Secure Systems Engineering)'
+
+## 2.5.1
+* Fix: CVE-2022-42731: related to the possibility of registration replay attack.
+ Thanks to 'SSE (Secure Systems Engineering)'
+
 ## 2.6.0
 * Adding Backup Recovery Codes (Recovery) as a method.
 Thanks to @Spitfireap for work, and @peterthomassen for guidance.
diff --git a/mfa/FIDO2.py b/mfa/FIDO2.py
index ae9a6aa..bd78ef0 100644
--- a/mfa/FIDO2.py
+++ b/mfa/FIDO2.py
@@ -57,7 +57,7 @@ def complete_reg(request):
 att_obj = AttestationObject((data['attestationObject']))
 server = getServer()
 auth_data = server.register_complete(
- request.session.pop['fido_state'],
+ request.session.pop('fido_state'),
 client_data,
 att_obj
 )
diff --git a/setup.py b/setup.py
index 3be7c2d..ef9b766 100644
--- a/setup.py
+++ b/setup.py
@@ -4,7 +4,7 @@ setup(
 name='django-mfa2',
- version='2.6.0',
+ version='2.6.1',
 description='Allows user to add 2FA to their accounts',
 long_description=open("README.md").read(),
 long_description_content_type="text/markdown",
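Review bot: `request.session.pop('fido_state')` on the new side raises KeyError when this session has no pending registration (no prior begin, or the state was already consumed by an earlier completion or replay), so a second or out-of-order POST to `complete_reg` ends in an unhandled 500 instead of a deliberate rejection; pull the state out first with `state = request.session.pop('fido_state', None)` and return an error response when it is None, before `server.register_complete` is reached. The order the patch uses is the right one for the CVE — the one-time state is removed from the session before verification, so a failed or replayed attestation consumes it either way — and that intent is worth stating next to the call, e.g. `# consume the one-time registration state before verifying so it cannot be replayed (CVE-2022-42731)`. The body of `complete_reg` starts and ends outside this hunk, so whether an existing `try/except` around the call already absorbs the KeyError cannot be confirmed from here.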